

Can I use Cloudflare with Let's Encrypt on Forge


Using Cloudflare with Let's Encrypt on Forge is entirely feasible and commonly done, but it requires understanding how these components interact with each other for SSL/TLS and certificate management.

How Laravel Forge Supports Let's Encrypt with Cloudflare

Laravel Forge supports issuing Let's Encrypt wildcard certificates by integrating with DNS providers including Cloudflare. When using wildcard certificates (*.domain.com), Let's Encrypt requires the DNS-01 challenge to verify domain ownership. Forge accommodates this by managing DNS records on Cloudflare through its API, if an API token with appropriate permissions is provided.

The API token for Cloudflare must have the permissions `Zone.Zone.Read` and `Zone.DNS.Edit` at minimum, and should apply to all zones you intend to manage. This setup allows Forge to automatically create the necessary DNS TXT records for the DNS-01 challenge to prove ownership of the domain and its subdomains. Without this, certificate issuance for wildcard domains would fail.

How Let's Encrypt Works Behind Cloudflare

Cloudflare acts as both a reverse proxy and a DNS provider, adding a layer between the visitor and the origin server (where Forge deploys your site). When you run Let's Encrypt on a server behind Cloudflare, there are two common challenge types for certificate issuance and renewal:

1. HTTP-01 Challenge: Let's Encrypt expects a verification file under the `.well-known/acme-challenge/` path on your web server. Because Cloudflare proxies requests to your server, it must let the challenge traffic through without interference; with the Cloudflare proxy enabled (orange cloud) this happens automatically.

2. DNS-01 Challenge: For wildcard certificates, Let's Encrypt verifies a DNS TXT record. Forge's integration with Cloudflare automates this by using the API token to add/remove TXT records during issuance and renewal.

Thus, Cloudflare does not obstruct Let's Encrypt challenges if configured correctly.

SSL Modes in Cloudflare with Let's Encrypt

Cloudflare offers several SSL modes for handling encryption between the client (visitor) and Cloudflare, and between Cloudflare and your origin server (Forge):

- Flexible SSL: Encrypts traffic between the client and Cloudflare but not between Cloudflare and the origin. Not recommended with Let's Encrypt because it leaves that leg unencrypted.
- Full SSL: Encrypts traffic both between the client and Cloudflare and between Cloudflare and the origin, but does not validate the origin certificate.
- Full (Strict) SSL: Encrypts traffic on both legs and requires a valid certificate on the origin server, such as a Let's Encrypt certificate issued via Forge.

For full security, use Full (Strict) SSL. This setting ensures Cloudflare validates the Let's Encrypt certificate on your Forge server and does not allow connections if the certificate is invalid. This setup maintains end-to-end encryption.

SSL Certificates Visible to the Public

When using Cloudflare with the proxy enabled (orange cloud), visitors will see Cloudflare's own edge SSL certificate rather than the Let's Encrypt certificate installed on your server. Cloudflare's certificate secures traffic from the visitor to Cloudflare, while your Let's Encrypt certificate secures traffic from Cloudflare to your server.

If you want visitors to see your Let's Encrypt certificate (rarely necessary), you would have to disable the Cloudflare proxy (grey cloud), which disables many Cloudflare features like CDN, DDoS protection, and caching.

Installing and Renewing Certificates with Forge and Cloudflare

1. Create an API token in Cloudflare with DNS edit permissions.
2. Configure the token in Laravel Forge in site settings under SSL.
3. Use Forge's interface to issue a Let's Encrypt certificate for your domain.
4. Forge uses the token to create and verify DNS challenges on Cloudflare.
5. When certificates are due for renewal, Forge reuses the token to update DNS TXT records.
6. Cloudflare proxy settings and DNS must be configured to allow traffic to your server for HTTP-01 challenges if needed.

Common Issues and Solutions

- Incorrect API Token Permissions: If Forge cannot deploy the certificate, check that the token has `Zone.Zone.Read` and `Zone.DNS.Edit` permissions for all target zones.
- Wildcard Certificate on Many Subdomains: Let's Encrypt wildcard certificates only cover one level of subdomains. Nested subdomains may require separate certificates.
- Cloudflare Proxy Causing Challenge Failures: Sometimes proxying traffic to third-party CNAME targets or certain configurations can cause challenge failures. Temporarily disabling the proxy (grey cloud) on those records during certificate issuance may be necessary.
- SSL Mode Mismatch: Ensure Cloudflare SSL is set to Full (Strict) if you want proper encryption validation end-to-end.
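The wildcard issue above is easy to check before requesting a certificate. This added example (not Forge's code) applies the one-label wildcard rule from RFC 6125 section 6.4.3 to a certificate's SAN list and reports which hostnames would be left uncovered; the SAN list and hostnames are constructed samples.

```python
# Added example: which hostnames does a wildcard certificate actually cover?
# A "*" in a SAN matches exactly one DNS label (RFC 6125 section 6.4.3).
def name_matches(san: str, host: str) -> bool:
    """True if the SAN entry covers host; comparison is case-insensitive."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if not san.startswith("*."):
        return False
    suffix = san[1:]                       # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]        # the part the "*" stands for
    return leftmost != "" and "." not in leftmost


def uncovered_hosts(sans: list, hosts: list) -> list:
    """Hosts not covered by any SAN; each of these needs its own certificate."""
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]


# Constructed sample: the SANs of a typical Forge wildcard certificate for example.com.
SAMPLE_SANS = ["example.com", "*.example.com"]
SAMPLE_HOSTS = [
    "example.com",               # covered by the bare name
    "www.example.com",           # covered by the wildcard
    "staging.example.com",       # one label deep: covered
    "api.staging.example.com",   # two labels deep: NOT covered
    "example.org",               # different zone: NOT covered
]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_SANS, SAMPLE_HOSTS):
        print(f"{host}: not covered by {SAMPLE_SANS}, needs its own certificate")
```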

Benefits of Using Cloudflare with Let's Encrypt on Forge

- Automated Certificate Management: Forge's integration with Cloudflare DNS API automates the tricky parts of renewing wildcard certificates.
- Improved Security: Full (Strict) SSL mode ensures end-to-end encryption between users, Cloudflare, and your server.
- Performance and Protection: Cloudflare provides caching, DDoS mitigation, and firewall rules alongside SSL.
- Free SSL: Let's Encrypt certificates are free, and Cloudflare's Universal SSL provides the edge certificate automatically.

Summary

It is fully supported and recommended to use Cloudflare with Let's Encrypt on Laravel Forge. Forge's built-in support for Let's Encrypt includes direct integration with Cloudflare DNS, simplifying wildcard certificate issuance by handling DNS challenges automatically. Cloudflare acts as a reverse proxy and provides SSL edge certificates, while Let's Encrypt certificates secure the server behind it. Using Full (Strict) SSL mode on Cloudflare ensures the highest security by validating the origin's Let's Encrypt certificate.

Proper configuration involves setting the right API token permissions in Cloudflare, choosing appropriate Cloudflare SSL settings, and understanding the two legs of the SSL connection (client to Cloudflare and Cloudflare to server). By following these steps, SSL certificates can be smoothly managed and renewed on Forge with Cloudflare in front, providing reliability, security, and performance for your Laravel applications.

This integration avoids common pitfalls like invalid API tokens, proxy interference with verification challenges, or SSL mode misconfiguration, resulting in a seamless HTTPS experience for users and secure communication throughout the delivery chain.